Patch for critical Openssl vulnerability

[kallisti5]

Welcome!

• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you do?

A critical vulnerability is incoming for OpenSSL 3.0.0 - 3.0.6

https://xeiaso.net/blog/openssl-3.x-secvuln-incoming
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

Traefik should be prepared to scan containers for OpenSSL 3.0.0 - 3.0.6 and upgrade them to 3.0.7 as it becomes available

What did you see instead?

Insecure TLS lol

What version of Traefik are you using?

any version with openssl 3.0.0 - 3.0.6

What is your environment & configuration?

# (paste your configuration here)

Add more configuration information here.

If applicable, please paste the log output in DEBUG level

No response

[kallisti5]

As I understand it, updating to openssl-3.0.7 will be an absolute sprint to apply once it is disclosed Tuesday. Please be ready traefik team to update containers ASAP once the fix is dropped.

[ldez]

Hello,

we don't use OpenSSL, so we are not affected.

And if the alpine layer is affected it will be automatically updated by Docker itself because we are using the official Docker image process.

[kallisti5]

Ok... y'all missed the hint.
https://groups.google.com/g/golang-announce/c/dRtDK7WS78g

Go statically links openssl into it's standard libraries. Resulting go binaries are statically linked as well. You have a libssl.a in your traefik binaries.

"We plan to issue Go 1.19.3 and Go 1.18.8 on Tuesday, November 1."

tldr; any traefik binary compiled with go 1.19.x and 1.18.x and using crypto/tls (which you are via qtls) are likely subject to this vulnerability.

[ldez]

Go statically links openssl into it's standard libraries. Resulting go binaries are statically linked as well. You have a libssl.a in your traefik binaries.

I'm not sure about that because Go implemented its own TLS library (it's the package crypto/tls) and doesn't rely on OpenSSL.

https://groups.google.com/g/golang-nuts/c/0za-R3wVaeQ

But it's possible that Go and OpenSSL have the same bug.

[kallisti5]

If that's the case, then yeah Traefik would be safe (as long as it isn't some overall design flaw). The fact that golang is updating for a "private" vulnerability could indicate a protocol design issue though as you said.

As for container packages, I confirmed libssl in the latest traefik container is:

• libssl1.1-1.1.1q-r0 x86_64 {openssl} (OpenSSL) [installed]
  That's too old to be in scope per what is known so far.

Anyway, as long as y'all are aware of its looming potential i'm happy. If it's a server-side vulnerability, Traefik would be a prime target since it terminates SSL connections for a lot of infrastructure on the internet.

[ldez]

For the record, the Go security fixes being released tomorrow
are unrelated to the OpenSSL CRITICAL security patch release
that is by an unlucky coincidence also happening tomorrow.

https://groups.google.com/g/golang-announce/c/dRtDK7WS78g/m/T5pVQ7PoAQAJ